Versions of Kerberos Version 5

Version 5 of Kerberos is the most recent version. Changes in the protocol have solved a
number of security problems from version 4.
 

MIT Kerberos Version 5
MIT Kerberos version 5 is freely available and is available from the same site as version 4 MIT
via anonymous FTP from athena-dist.mit.edu (18.71.0.38).

OSF DCE Security
The Open Systems Foundation (OSF) has defined a Distributed Computing Environment
(DCE) with security based on Kerberos version 5, and using the same wire protocol. However,
applications from two systems use the protocol in different ways, so the actual interoperability
between Kerberos and DCE is limited. Because DCE is defined as an open standard, it is up to
manufacturers to provide products that fit into that standard. More and more manufacturers
are providing DCE-compliant products, and it is now possible to assemble a complete DCEcompliant
security environment by selecting DCE-compliant vendors.

Bones
Kerberos is a network security system that relies on cryptographic methods for its security.
Because Kerberos’ encryption system, DES, cannot be exported, Kerberos itself cannot be exported or used outside the United States and Canada in its original form. Bones is a system
that provides the Kerberos API without using encryption and without providing any form of
security—it’s a fake that enables the use of software that expects Kerberos to be present when it
cannot be.
Note: Bones possesses the property of there being absolutely no question about its legality
concerning transportation of its source code across national boundaries. It neither
has any encryption routines nor any calls to encryption routines.
You can obtain a working copy of Bones through anonymous FTP from ftp.funet.fi
(128.214.6.100) in pub/unix/security/kerberos. A DES library is available at the same location.

SESAME
SESAME is an initiative of the European community to produce a compatible product to
Kerberos version 5. SESAME-compatible systems are accessible through Kerberos and vice
versa. SESAME makes use of DES software developed outside North America, and is not
subject to export restrictions. Information on SESAME is available from http://
www.esat.kuleuven.ac.be/cosic/sesame3.html.

Versions of Kerberos

Several different versions and distributions of Kerberos are available. Most of them are based
on MIT distributions in one form or another, but the lineage isn’t always simple to trace. The
newest version of MIT Kerberos is version 5. Versions 4 and 5 are based on completely
different protocols. The MIT Kerberos version 5 distribution contains some compatibility
code to support conversion from version 4: 

• The Kerberos version 5 server can optionally service version 4 requests.
• A program enables users to convert a version 4 format Kerberos database to a version 5
  format database.
• An administration server that accepts version 4 protocol and operates on a version 5 database.

Some distributions are freely available, some are stand-alone commercial products, and others
are part of a larger free or commercial system.
Versions of Kerberos Version 4
There are several VERSION 4 distributions available. Because version 4 is not totally compatible
with version 5, organizations starting new Kerberos installations should consider starting
at version 5.
MIT Kerberos Version 4 Availability
MIT version 4 is freely available in the U.S. and Canada through anonymous FTP from
athena-dist.mit.edu (18.71.0.38). For specific instructions, change to the pub/Kerberos directory and download the file README.KRB4 (for version 4) or README.KRB5 (for
version 5), both of which are text files that explain the export restrictions and contain detailed
instructions on how to download the source code via anonymous FTP. Locations outside
North America may use the Bones version.
Transarc Kerberos
A second distribution of Kerberos version 4 is available as a commercial product from
Transarc. Years ago, the designers of AFS decided to implement their own security system
based on the Kerberos specification rather than using MIT Kerberos version 4, which then was
not publicly available. Consequently, Transarc’s AFS Kerberos speaks a slightly different
protocol but also understands the MIT Kerberos version 4 protocol. They can, in principal,
talk to each other. Enough annoying incompatible details, however, make it impractical.
DEC Ultrix Kerberos
A third distribution of Kerberos version 4 is available from Digital Equipment Corporation.
Aside from a few changes, DEC’s commercial version essentially matches MIT Kerberos
version 4.

Checksums

The following structure is used for a checksum:

Checksum = {

                        cksumtype[0] INTEGER,

                        checksum[1] BYTE STRING

}

·          

•     cksumtype. Indicates the algorithm used to generate the accompanying checksum.
•         checksum. Contains the checksum itself, encoded as byte string.

Negative values for the checksum type are reserved for local use. All non-negative values are reserved for officially assigned type fields and interpretations.

Kerberos supports a variety of checksums. In addition, specific implementations may also support implementation-specific checksums. The following sections describe the standard checksums supported by Kerberos. Selection of a specific checksum is up to the application providing the information.

Note Kerberos uses checksums that can be classified by two properties: whether they’re collision-proof and whether they’re keyed. A checksum is said to be collision-proof if finding two plaintexts that  enerate the same checksum value is infeasible. This means that it is not possible for someone to change a message in a manner that leaves the checksum unchanged. Any change to the message makes an unpredictable change to the checksum.

A keyed checksum requires a key to perturb or initialize the algorithm. Keyed checksums are usually cryptographically based. This makes them collision-proof, because the randomizing effect of the encryption makes it impossible to predict the change to the checksum of any change in the message.

To prevent message-stream modification by an active attacker, unkeyed checksums should be used only when the checksum and message will be subsequently encrypted. For example, the checksums defined as part of the encryption algorithms covered earlier in this section are encrypted.

Collision-proof checksums can be made tamperproof as well if the checksum value is encrypted before inclusion in a message. In such cases, combining the checksum and the encryption algorithm is considered a separate checksum algorithm. RSA-MD5 encrypted using DES is a new checksum algorithm of type RSA-MD5-DES. For most keyed checksums, as well as for the encrypted forms of collision-proof checksums, Kerberos prepends a confounder before calculating the checksum.

The CRC-32 Checksum (crc32)

The CRC-32 checksum calculates a checksum based on a cyclic redundancy check as described in ISO 3309. The resulting checksum is four bytes long. The CRC-32 is neither keyed nor collision-proof. Using this checksum is not recommended, because an attacker might be able to generate an alternative message that satisfies the checksum. Use collision-proof checksums for environments in which such attacks represent a significant threat such as the Internet, or an application with high value information.

Hacking Tips & Tricks....: Encryption Keys & Encryption Systems

Hacking Tips & Tricks....: Encryption Keys & Encryption Systems: Kerberos maintains a database of active encryption keys. The following structure shows the encoding of an encryption key: Encrypti...

Encryption Keys & Encryption Systems

Kerberos maintains a database of active encryption keys. The following structure shows the encoding of an encryption key:

EncryptionKey =

{

keytype[0] INTEGER,

keyvalue[1] BYTE STRING

}

• keytype. Specifies the type of encryption key that follows in the keyvalue field. It almost always corresponds to the encryption algorithm used to generate the encrypted data, though more than one algorithm may use the same type of key (the mapping is many to one). This might happen, for example, if the encryption algorithm uses an alternative checksum algorithm for an integrity check or a different chaining mechanism.
• keyvalue. Contains the key itself, encoded as a byte string.

All negative values for the encryption key type are reserved for local use. All non-negative values are reserved for officially assigned type fields and interpretations.

Encryption Systems

Kerberos defines a number of encryption systems that may be selected for use in a message. In addition, it also provides a mechanism for a developer to add his own encryption method. When a principal sends a message using an encryption method, the destination principal must also support the encryption method. If it doesn’t, an error message will be returned.

The NULL Encryption System (null)

If no encryption is in use, the encryption system is said to be a NULL encryption system. A NULL encryption system has no checksum, confounder, or padding. The ciphertext simply is the plaintext. The NULL encryption system uses the NULL key, which is zero bytes in length and has keytype zero (0).

DES in CBC Mode with a CRC-32 Checksum (des-cbc-crc)

The des-cbc-crc encryption mode encrypts information under the Data Encryption Standard using the Cipher Block Chaining (CBC) mode. A CRC-32 checksum is applied to the confounder and message sequence and placed in the checksum field. The details of the encryption of this data are identical to those for the des-cbc-md5 encryption mode.

Because the CRC-32 checksum is not collision-proof, different messages can be generated having the same checksum. An attacker could use a probabilistic chosen plaintext attack to generate a valid message, even in the face of a confounder. Using collision-proof checksums is recommended for environments in which such attacks represent a significant threat. Any time the message will pass through a hostile environment, such as the Internet, or any time the message has great value, as in financial transactions, a collision-proof checksum should be used.

Note:  Using the CRC-32 as the checksum for ticket or authenticator no longer is mandated as an interoperability requirement for Kerberos version 5 Specification 1.

DES in CBC Mode with an MD4 Checksum (des-cbc-md4)

The des-cbc-md4 encryption mode encrypts information under DES using the Cipher Block Chaining mode. An MD4 checksum is applied to the confounder and message sequence (msgseq) and placed in the cksum field. The details of the encryption of this data are identical to those for the des-cbc-md5 encryption mode.

DES in CBC Mode with an MD5 Checksum (des-cbc-md5)

The des-cbc-md5 encryption mode encrypts information under the Data Encryption Standard using the Cipher Block Chaining mode. An MD5 checksum is applied to the confounder and message sequence and placed in the cksum field.

Plaintext and DES ciphertext are encoded as 8-byte blocks that are concatenated to make the 64-bit inputs for the DES algorithms. As a result, the data to be encrypted must be padded to an 8-byte boundary before encryption. Encryption under DES using Cipher Block Chaining requires an additional input in the form of an initialization vector. Unless otherwise specified, zero should be used as the initialization vector. Kerberos’ use of DES requires an 8-byte confounder.

The DES specifications identify some weak and semi-weak keys. Those keys are not to be used for encrypting Kerberos messages. Because of the way that keys are derived for the encryption of checksums, keys shall not be used that yield weak or semi-weak keys when eXclusive-ORed with the constant F0F0F0F0F0F0F0F0.

A DES key is 8-bytes of data, with keytype one (1). This consists of 56 bits of key, and 8 parity bits (one per byte). To generate a DES key from a password, the password normally must have the Kerberos realm name and each component of the principal’s name appended, then padded with ASCII nulls to an 8-byte boundary. This string is then fan-folded and eXclusive-ORed with itself to form an 8-byte DES key. The parity is corrected on the key, and it is used to generate a DES-CBC checksum on the initial string (with the realm and name appended). Next, parity is corrected on the CBC checksum. If the result matches a “weak” or “semi-weak” key as described in the DES specification, it is eXclusive-ORed with the constant 00000000000000F0. Finally, the result is returned as the key.

Hacking Tips & Tricks....: Encryption Specifications

Hacking Tips & Tricks....: Encryption Specifications: The following structure describes all encrypted messages. The encrypted field that appears in the unencrypted part of messages is a se...

Encryption Specifications

The following structure describes all encrypted messages. The encrypted field that appears in the unencrypted part of messages is a sequence that consists of an encryption type, an optional key version number, and the ciphertext.

EncryptedData = 

{

etype[0] INTEGER -- Encryption Type

kvno[1] INTEGER OPTIONAL,

cipher[2] BYTE STRING -- ciphertext

}

• etype. Identifies the encryption algorithm used to encrypt the cipher.
• kvno. Contains the version number of the key under which data is encrypted. Present in messages encrypted under long-lasting keys, such as principals’ secret keys. Used to determine which key to use when a ticket is valid across a change in key, such as when a user changes his password.
• cipher. Contains the encrypted field(s).

The cipher field is generated by applying the specified encryption algorithm to data composed of the message and algorithm-specific inputs. Encryption mechanisms defined for use with Kerberos must take sufficient measures to guarantee the integrity of the plaintext. The protections often can be enhanced by adding a checksum and a confounder.

The suggested format for the data to be encrypted includes a confounder, a checksum, the encoded plaintext, and any necessary padding. The msg-seq field contains the part of the protocol message that is to be encrypted. The format for the data to be encrypted is described in the following:

{

confounder[0] BYTE STRING(conf_length) OPTIONAL,

check[1] BYTE STRING(checksum_length) OPTIONAL,

msg-seq[2] MsgSequence,

pad BYTE STRING(pad_length) OPTIONAL

}

The first step is to create a confounder. The confounder is a random sequence the same length as the encryption blocking length. Its purpose is to confuse or confound certain types of brute force attacks. The second step is to zero out the checksum. Next, calculate the appropriate checksum over confounder, the zeroed checksum, and the message. Place the result in the checksum. Add the necessary padding to bring the total length to a multiple of the encryption blocking length. Encrypt using the specified encryption type and the appropriate key.

Unless otherwise specified, a definition of a Kerberos encryption algorithm uses this ciphertext format. The ordering of the fields in the ciphertext is important. Additionally, messages encoded in this format must include a length as part of the message field, to enable the recipient to verify that the message has not been truncated. Without a length, an attacker could generate a message that could be truncated, leaving the checksum intact.

To enable all implementations using a particular encryption type to communicate with all others using that type, the specification of an encryption type defines any checksum needed as part of the encryption process. If an alternative checksum is to be used, a new encryption type must be defined.

Some encryption systems require additional information beyond the key and the data to be encrypted. When DES is used in Cipher Block Chaining mode, for example, it requires an initialization vector. If required, the description for each encryption type must specify the source of such additional information.